# Concepts

### Attacker information

Attacker domain: koreambtihealth.com

### Target information

* Target internal domain: choi.local
* Target victim user: <h.park@choi.local>

### TTP information

1. Initial access
   1. Phishing email + HTML smuggling
   2. The victim user checks their personal email from inside the corporate network -> caught by the smuggling
   3. VBS Purged maldoc OR remote template injection maldoc OR DotNetToJscript (.js) file. If using maldocs, potentially use a password-protected .zip? Or go for XSL + DotNetToJscript for executing XSL + JScript
      1. The embedded C# stager should use direct syscalls (modified DInvoke) + AMSI/ETW bypass + PPID spoofing + process injection to inject shellcode into a remote process
   4. Nope, using an ISO payload + LNK + DLL sideloading (and hidden attributes) + Sliver or Covenant.
   5. Local enumeration + domain enumeration
   6. Kerberoasting a service account + cracking
   7. Gaining the service account via Kerberoasting + accessing another workstation -> dumping LSASS using HandleKatz from PowerShell + AMSI bypass
   8. DA creds and yay!
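A defender-side check for the Kerberoasting step in the list above, as an added example that is not part of the original page: it runs over constructed Windows Security event 4769 records (the field names, account names and timestamps are assumptions, not real log data) and flags a requesting account that obtains RC4-encrypted (0x17) service tickets for several distinct service accounts within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 (Kerberos service ticket request) events, not real logs.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "user": "h.park@CHOI.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.15"},
    {"time": "2024-03-01T09:00:02", "user": "h.park@CHOI.LOCAL", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.15"},
    {"time": "2024-03-01T09:00:03", "user": "h.park@CHOI.LOCAL", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.15"},
    {"time": "2024-03-01T09:00:04", "user": "h.park@CHOI.LOCAL", "service": "krbtgt", "etype": "0x12", "ip": "10.0.0.15"},
    {"time": "2024-03-01T09:05:00", "user": "j.kim@CHOI.LOCAL", "service": "svc_sql", "etype": "0x12", "ip": "10.0.0.22"},
    {"time": "2024-03-01T09:06:00", "user": "WS01$@CHOI.LOCAL", "service": "WS02$", "etype": "0x17", "ip": "10.0.0.30"},
]

RC4_HMAC = "0x17"          # TicketEncryptionType value for RC4-HMAC
WINDOW = timedelta(minutes=5)
THRESHOLD = 3              # distinct RC4 service tickets per account inside WINDOW

def is_candidate(ev):
    """Only RC4 tickets for non-machine, non-krbtgt services count as roasting candidates."""
    svc = ev["service"].lower()
    return (ev["etype"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc != "krbtgt")

def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """Return {requesting_user: sorted distinct services} for every user that
    requested >= threshold distinct RC4 service tickets within any sliding window."""
    by_user = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # window opens at each request; collect distinct services inside it
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                hits[user] = sorted(services)
                break
    return hits

if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {services}")
```

Tune WINDOW and THRESHOLD to the environment; legitimate RC4 requests from a single user for many SPNs are rare once AES-only service accounts are enforced, which is also the mitigation this check complements.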
